Extend context using the command line - Administrator Guide - Cortex XSIAM - Cortex - Security Operations

Cortex XSIAM Administrator Guide

Product
Cortex XSIAM
Creation date
2024-05-06
Last date published
2024-09-09
Category
Administrator Guide
Retirement status
Retiring; replacement documentation is at /r/Cortex-XSIAM/Cortex-XSIAM-Documentation
Abstract

Extend context to retrieve additional data returned by integrations or commands and map it to fields, directly from the Cortex XSIAM command line.

You can extend context either in a playbook task or directly from the Incident/Alert War Room command line. Whichever method you use, it is recommended that you first run your command with the raw-response=true flag. The raw response shows every field the command returns, which helps you identify the information that you want to add to your extended data.

  1. Run your command with the extend-context flag:

     !<commandName> <argumentName>=<value> extend-context=<contextKey>=<JsonOutputPath>

     <JsonOutputPath> is a dot-separated path into the command's raw response. To set several context keys in one command, separate the <contextKey>=<JsonOutputPath> pairs with ::.

    For example, to add the user's manager and display name attributes to context, run the ad-get-user command as follows:

    !ad-get-user username=${user.manager.username} extend-context=manager=attributes.manager::attributes=displayName

  2. To output only the values that you set with extend-context, run the command with the ignore-output=true flag:

    !ad-get-user username=${user.manager.username} extend-context=manager=attributes.manager::attributes=displayName ignore-output=true

    Example

    By default, after you add an IBM QRadar v3 integration instance, each offense pulled from QRadar into Cortex XSIAM returns numerous fields, including event_count, device_count, offense_type, description, and so on. You can use extend context to see which additional information is available, and then map that information to a field in Cortex XSIAM.

    • Run the command !qradar-offenses-list raw-response="true". In the raw response, you should see the full set of fields that the command returns.

    • Identify the fields that you want to keep and run your command with extend-context. For example, to retrieve the number of devices affected by each offense, as well as the domain in which those devices reside, run the following command:

      !qradar-offenses-list extend-context=device-count=device_count::domain_id=domain_id
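The following Python script is an added illustration of how the extend-context=key=path::key2=path2 syntax maps dot-separated output paths from a raw response onto context keys. It is not Cortex XSIAM code: the sample offense records are constructed, and the way it fans a path out over a list of results (and silently skips a path that does not resolve) is an assumption made for the example, not a statement about the platform's own resolver.

```python
"""Illustrative model of extend-context=key=path::key2=path2 (constructed example)."""
from typing import Any

# Constructed sample raw response shaped like a list of QRadar offenses.
# Field names follow the page; the values are made up for this example.
RAW_OFFENSES = [
    {"id": 101, "description": "Excessive failed logins", "device_count": 3,
     "domain_id": 0, "event_count": 42, "offense_type": 3},
    {"id": 102, "description": "Outbound beaconing", "device_count": 1,
     "domain_id": 2, "event_count": 7, "offense_type": 11},
]

# Sentinel for "this path did not resolve"; such keys are left out of context.
_MISSING = object()


def parse_extend_context(spec: str) -> list[tuple[str, str]]:
    """Split 'key=path::key2=path2' into [(key, path), ...].

    Only the first '=' in each pair separates key from path, so a key such
    as 'device-count' and a path such as 'attributes.manager' are kept intact.
    """
    pairs = []
    for item in spec.split("::"):
        item = item.strip()
        if not item:
            continue
        if "=" not in item:
            raise ValueError(f"extend-context entry {item!r} is not key=path")
        key, path = item.split("=", 1)
        if not key or not path:
            raise ValueError(f"extend-context entry {item!r} has an empty key or path")
        pairs.append((key, path))
    return pairs


def _walk(node: Any, parts: list[str]) -> Any:
    """Follow the remaining path segments from node.

    A list at any point is fanned out: the rest of the path is applied to
    each element and the resolved values are collected (assumption for the
    example). A dict without the requested key yields _MISSING.
    """
    if not parts:
        return node
    if isinstance(node, list):
        results = [_walk(elem, parts) for elem in node]
        results = [r for r in results if r is not _MISSING]
        return results if results else _MISSING
    head, rest = parts[0], parts[1:]
    if isinstance(node, dict) and head in node:
        return _walk(node[head], rest)
    return _MISSING


def resolve_path(raw_response: Any, path: str) -> Any:
    """Resolve a dot-separated JsonOutputPath against a raw response."""
    return _walk(raw_response, path.split("."))


def extend_context(raw_response: Any, spec: str) -> dict[str, Any]:
    """Return {contextKey: value} for every key=path pair that resolves."""
    context: dict[str, Any] = {}
    for key, path in parse_extend_context(spec):
        value = resolve_path(raw_response, path)
        if value is not _MISSING:
            context[key] = value
    return context


if __name__ == "__main__":
    # Mirrors the QRadar command on this page: two offenses in, two lists out.
    print(extend_context(RAW_OFFENSES, "device-count=device_count::domain_id=domain_id"))
    # Mirrors the nested path from the ad-get-user example (constructed user record).
    user = {"attributes": {"manager": "CN=Jane Doe,OU=Staff,DC=example,DC=com",
                           "displayName": "John Smith"}}
    print(extend_context(user, "manager=attributes.manager::name=attributes.displayName"))
```

Running the script prints the device-count and domain_id lists for the two constructed offenses, then the manager and display name pulled out of the nested attributes object. Comparing the keys it produces with what you see in the War Room after running the real command with raw-response="true" is a quick way to confirm that the path you wrote actually points at the field you intended.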